.jpg)
Manob Ganguly,
University of Petroleum and Energy Studies
INTRODUCTION
Data privacy is considered the right of an individual to control their personal information regarding its collection, storage, use, sharing, or protection. Personal data may range from basic contact information to extremely sensitive information such as financial, health, and biometric information.
The digital age has culminated in an enormous increase in data collection, with businesses and organizations now hosting huge reams of personal information. These data are not only useful for various purposes but also carry potential harmful risks to individual identity theft, fraud, and discrimination, to mention but a few.
These concerns resulted in a robust legal and regulatory framework. Data privacy laws, such as the GDPR, CCPA, etc., bind organizations dealing with personal data to strict obligations about transparency, accountability, and individual rights.
After all, data privacy underpins individual freedoms by providing trust and ensuring security within the digital environment[i]
OBJECTIVE
The present paper is an attempt at updating the readers on the delineation of India's data privacy contour and to trace a trail from the Information Technology Act, 2000, to the up-and-coming Digital Personal Data Protection Act, 2023. It will deliberate on the strengths and weaknesses of India's data protection framework by benchmarking against global standards, specifically GDPR. This would also be termed a landmark study wherein cybersecurity ensures the security of personal data and its interrelation with the laws relating to privacy. The important data breaches that occurred would also form a significant aspect of this study in terms of their impacts on public trust and existence guarding. It will find out the ways of potential improvements in the field of data protection and cybersecurity within the country of India, thus contributing to the policymaking or industry standards in effect.
METHODOLOGY
This paper, therefore, employs a mixed-method approach to explore in much greater detail the complex interplay between data privacy and cybersecurity on the Indian ground. Doctrinal research methodology forms the bedrock of the present study in analyzing legislation, judicial precedents, and scholarly works in providing robust understanding over the legal and regulatory landscape.
Besides this, with the resultant contextual doctrines, the article attempts to underpin the position through empirical research based on certain case studies of significant data breaches in India. These case studies show the actual implications of data privacy violations in the real world and the effectiveness, non-effectiveness, or drawbacks of such existing safeguards. The paper also presents the analysis against global data protection regimes, in particular the GDPR, and spells out the best practices and areas where improvement is possible for adoption in India.
This study intends to add real value to understanding the nuances, the issues, and the opportunities looming in the data privacy and cybersecurity scenario across India.
LITERATURE REVIEW
Though studies on India's data privacy and cybersecurity landscape are burgeoning, it draws on research by Bhatia, Bhabha, Abraham, Hickok, Greenleaf, Kshetri, Jain, Gyanchandani, Kulkarni, Kalro, Srikumar, and Agarwal for a deeper understanding of the country's evolving regime for protection of data, challenges in cybersecurity, and the impact of data breaches. However, these studies point to further research for long-term implications.
HYPOTHESIS
A yawning chasm lies between India's extant regime for protection of personal data and the robust framework needed to secure personal data in the digital age. With rising incidents of data breaches, it undermines public trust in digital platforms and institutions. Consequently, it is postulated that a holistic regime change relating to data protection, along with robust measures for cybersecurity, would be a sine qua non if rights of citizens are to be protected, innovation fostered, and the competitive advantage of India vis-à-vis the global digital economy retained.
I. The Critical Role of Data Privacy
We are living in the information age; whereby personal data is worth more than ever. Sharing personal data has never been more frequent than with the advent of social media, online shopping, and online banking. Even though these technologies made life more convenient for us, they also gave birth to new risks concerning our privacy and security. We would, therefore, wish to get a little deeper into why data privacy is of this importance and how you can protect yourself digitally.
Our personal information has value in more than one sense. Advertisers use it to target us through personalized ads. Social media companies use our information to know our behaviors and hence present to us what interests us more. However, when our personal data goes into the wrong hands, it can be misused for other ill purposes. Hackers sell our personal information to someone and commit identity theft, break into bank accounts, or even blackmail people.
Besides these risks, there are other ethical concerns related to how companies make use of our personal data. Many people are uncomfortable with being monitored and tracked everywhere online. The Cambridge Analytica Case[ii] brought a spotlight to these concerns when it was revealed that a political consulting firm harvested data from millions of Facebook users without their consent.
Data protection is an emanating concern in this digital era. In today's world, where all personal information is shared online, it is important to be wary of the many risks and take precautionary steps to protect oneself. By having a good, strong password, not being overly careless in sharing personal information, and checking our accounts regularly, we can reduce our risk of falling victim of cybercrime.[iii]
II. Cybersecurity: The Guardian of Personal Data
Cybersecurity refers to the state or process of protecting and recovering computer systems, networks, devices, and programs from any kind of cyber-attack. Cyber-attack is an increasingly sophisticated and evolving danger to sensitive data, since the attackers use new methodologies driven by social engineering and artificial intelligence to bypass traditional data security controls.
The fact is that the world is increasingly dependent on technology, and the dependency will grow with the next wave of modern technology that shall be coming in to access our connected devices via Bluetooth and Wi-Fi.
Strong password policies with multi-factor authentication, combined with intelligent cloud security solutions, should be in place to minimize such unauthorized access, and protect customer data vis-à-vis modern technology.[iv]
One of the major reasons that really makes cybersecurity important is personal information protection. Cybercriminals look forward to personal information, including our names, addresses, tax file numbers, and credit card details as the lifeblood. Without this information, they cannot do fraudulent activities or steal from our accounts. With proper measures of cybersecurity, we can in some ways ward off these kinds of attacks and avoid having our personal information compromised.
Another reason that cybersecurity is important is that it helps in protecting our businesses and organizations. Modern businesses depend so much on technology and the Internet to run their operations. They store sensitive information regarding financial records, employee data, and customer information on their servers and across their networks. The implications of this information falling into the wrong hands could be devastating for businesses. This will help in safeguarding this information and keeping it out of the cybercriminals' hands.
Cybersecurity also plays a significant role in preserving our national security. Governments and military organizations make use of technology and the power of the internet to run their activities. A cyber-attack on such organizations would have dire consequences. Cybersecurity measures are in place to protect against these types of attacks and keep our country safe.
Lastly, cybersecurity is important for the economy. Cyber-attacks can result in lost business revenues and productivity for those enterprises under attack. This might further lose customers' confidence and damage the reputation of a company. The implementation of safer cybersecurity will help businesses protect themselves from these kinds of attacks and keep our economy strong.[v]
III. Data Privacy in India: A Growing Imperative
This sensitivity towards questions relating to data protection and privacy is gradually increasing in the Indian context within the regime of our existing laws. Partial relief to this deficiency in legislation has come from recent industry, public, and government initiatives for a legal framework aiming to protect data. Companies intending to do business in India are advised to comply with local laws, particularly given the fast-changing legal environment relating to data protection.
Though there is no umbrella legislation in the country exclusively to protect privacy and personal data, several laws relating to information technology do exist. In 2014, a draft of a privacy protection bill was submitted to parliament, indicating an appreciation for greater data protection. Until then, without new legislation, existing laws and rules must be stretched to the maximum for protection of personal data.
The right to privacy is guaranteed by the Indian Constitution under Article 21, which covers freedoms extending to life and liberty. While courts in India have recognized basic rights to privacy, their scope and constraints are yet open to judicial interpretation. Personal data protection and privacy-related concerns are evolving through the legal system and, therefore, show the requirement for a strong regulation in data privacy within the country.[vi]
THE CURRENT LANDSCAPE OF DATA PRIVACY LAWS IN INDIA
The current Indian landscape of laws on data privacy is essentially governed by the Digital Personal Data Protection Act, dated August 11, 2023. This is a broad legislation aimed at developing a robust framework for the protection of personal data, protecting the rights of individuals while imposing corresponding responsibilities on entities tasked with processing information. Accordingly, the DPDPA will be a crucial step toward aligning India's framework for the protection of data in compliance with international standards, particularly considering the rapid digital transformation the country has been undergoing.
Before the DPDPA, India's data privacy landscape was governed by the Information Technology Act of 2000 and the Rules thereunder, which provided for reasonable security practices but remained silent regarding mechanisms to ensure adequate safeguards for the exercise of individual rights to privacy. This resulted in apparent fragmentation of laws, causing big gaps in the protection of citizens' personal information and limited accountability for breaches of data. To this end, the DPDPA replaces such a patchwork of laws with an integrated approach to data protection.
I. India's Data Protection Landscape: An Analysis of the IT Act, 2000
The Information Technology Act 2000 in India was critical to the creation of legislative frameworks that would help in dealing with the rising challenges caused by the new digital world. The cybercrime law was a measure by India to try and contain online fraud, online harassment, as well as other cyber threats raking the country. Nevertheless, the effectiveness of the IT Act in coping with the increasing cyber dangers is being reappraised. Compared to 2022, the country recorded 2,138 weekly cyber-attacks per company in 2023, which is an absolute increase of 15%. This places India as the second most hard-hit country in the Asia Pacific region, only next to Taiwan.
It provides a legal framework for e-governance, as the Act acknowledges e-records and digital signatures. In addition, it defined cybercrime and punishment for those crimes. It made mandatory the establishment of a Controller of Certifying Authorities which would monitor the issuing of digital signatures. For the complications and problems developed relating to the new law, it also prescribed for a Cyber Appellate Tribunal. This Act also amended some of the provisions of the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, to make them more technology friendly.
This Act extends to the whole of India. If any offence which involves a computer or network situated in India, then people of different countries can be punishable under this law.
This cybercrime law underwent a major amendment in the year 2008. It introduced the much-criticized Section 66A, which turned the transmission of "offensive messages" into a criminal offense. It introduced Section 69, authorizing state agencies to "intercept, monitor, or decrypt any information transmitted, received or stored through any computer resource." It introduced new provisions dealing with pornography, child pornography, cyber terrorism, and voyeurism. The amendment was passed on December 22, 2008, in the Lok Sabha, without any debate. The very next day, it was approved by the Rajya Sabha. Thereafter, on 5 February 2009, it was signed into law by then President Pratibha Patil.
II. India's Path to Data Privacy: An Analysis of the Personal Data Protection Bill
The Personal Data Protection Bill (PDPB) is an attempt at a wide-ranging legal framework for processing personal data in India, driven by the requirement of robust data privacy in a rapidly digitizing world. It tries to protect the rights of individuals—called data principals—against those who manage personal data, referred to as data fiduciaries. This bill recognizes the right to privacy as a fundamental right, trying to strongly uphold and protect the autonomy of the individual with regard to data governance.[vii]
It introduces a number of key provisions of the PDPB, all of which are focused on rights and responsibilities. Rights given to the data principals include access to their data, correcting inaccuracies, and erasure of personal data on request. Regarding the data principle, a Data Fiduciary shall seek informed consent from individuals before processing their data, ensure its accuracy, and adopt appropriate security measures against breaches. In addition, some further and more demanding, specific responsibilities of the relevant data fiduciary entail the appointment of the Data Protection Officer.
The Personal Data Protection Bill, indeed, marks a good step for the country in the direction of a strong data privacy legislative framework. The way ahead will certainly involve stakeholders in a continuous dialogue, sustained growth of the regulators, and watching the emerging challenges in the data protection landscape. The future of Indian data privacy will most likely boil down to how well the PDPB is enforced and absorbs into the evolving digital ecosystem.
III. India's Data Privacy Law: A Global Benchmarking Exercise
Global data privacy laws have been enacted with increased vigility to protect the personal data of citizens; the European Union's General Data Protection Regulation is one such example. Even the PDPB in India has made a focused attempt to bring itself up to the mark as per global standards, but it still lags far behind the GDPR in many aspects.
More specifically, under the GDPR, any organization that processes the personal data of individuals residing in the EU comes under its ambit, no matter where the organization is geographically located, reflecting its wide extraterritorial reach. Quite similarly, the PDPB seeks to cover all entities which process personal data of individuals in India—the scope becomes very wide—but limits its application to only digital personal data, thus exempting offline data and anonymized data. This narrow scope of coverage creates an opening for a lacuna against the broad, inclusive reach of the GDPR for various types of data.[viii]
It provided for several rights under the GDPR, such as data portability and the right to be forgotten, which further enhance control over personal information. That aside, similar rights were provided for under the PDPB, which include access, correction, and erasure, but the latter does not provide for data portability and the right to be forgotten. This makes up huge differences between both regarding the protection of individual privacy rights under the PDPB, not the GDPR.[ix]
While the PDPB is a sea-changing improvement in having some form of data privacy in India, critical gaps with the GDPR dictate that the refining of the law is still an ongoing process. International practices can be drawn on to further strengthen PDPB in its ability to protect personal data and increase trust in the Digital Economy of India.
CYBERSECURITY: THE SHIELD FOR DATA PRIVACY
Cybersecurity and data privacy are of paramount importance in keeping unwanted access to information at bay and ensuring that the people concerned remain in control of their information. It brings into light how they are interdependent, new threats emerging, and what new technologies would change the way we relate digitally.
It is, therefore, very critical to cybersecurity, since it offers protection that guards personal information from unauthorized access and cyber threats. Absence of stringent cybersecurity measures would make it more likely for personal data to turn vulnerable and easily breached, thus erosion of individual privacy rights.
I. Cybersecurity as the Foundation of Data Protection
Cybersecurity is a measure taken to prevent unauthorized selling or access to sensitive data. It may mean the techniques and practices that ensure entities protect the integrity, confidentiality, and availability of data. Implementation of effective strategies in cybersecurity greatly improves data protection, hence securing a company or organization from data breach and its users from mistrust.
Of course, one of the very vital elements of cybersecurity is encryption, which makes sensitive information unreadable to any unauthorized access. Strong encryption methods will protect data both at rest and in transit. This will not only help in securing personal information but also be important in compliance with set regulations on the protection of such data, hence bringing down the exposure in case of a breach.[x]
Basically, firewalls were the first line of defense designed for surveillance and control over both inbound and outbound traffic in a computer network, based on predetermined security rules. In their functionality, they basically act as barriers between trusted internal networks and untrusted external networks to prevent unauthorized access. Proper implementation of firewalls can block cyber threats at the outer boundary and thus prevent them from getting inside organizational networks; this improves the security of data.
Regular security audits can help companies find the loops in their cybersecurity setup. Software, firewalls, and other security policies are updated regularly to ensure that data protection is at its best. Keeping up with the latest threats and trying to defend them helps an organization in effectively and efficiently minimizing risks and increasing their cybersecurity posture.[xi]
II. The effectiveness of privacy laws in relation to data breaches
Data breaches are quite common these days, as millions of people are affected by some form of exposure, putting a spotlight on the current crisis of a lack of meaningful privacy legislation. If the rate of breaches goes up, so does the effectiveness of privacy regulatory actions—a relationship reminding one of the key issues that legislators and organizations try to overcome. It demonstrates how lax security practices can make for full-scale violations of a person's right to privacy, as evidenced by the breach at the Georgia Medical Care Foundation, which exposed information on over 1.3 million individuals (about the population of New Hampshire).
Positive effects of laws like the General Data Protection Regulation on the rate of data breaches have been evidenced in privacy laws. These regulations put a mandate on every organization to have stringent security measures in place in order to protect personal data more effectively, and thereby potentially reduce the likelihood of experiencing a breach. A study showed that the implementation of GDPR reduced data breaches involving small businesses. This attests to robust privacy laws having a shielding effect to reduce data exposure.[xii]
While there have been many evolutions in privacy laws, some challenges remain in providing full coverage against data breaches. Most of these laws exist as fragmented bits that may not cover all aspects of data security, hence creating loopholes that cybercriminals may capitalize on. The sectorial regulation patchwork, very often, leaves many organizations confused, frustrated in their bid to comply adequately. This could amount to continued vulnerability and, therefore, severely limit the effectiveness of such privacy laws in shielding against possible data breaches.[xiii]
The relationship between data breaches and the effectiveness of privacy laws plays a critical role in developing an overall approach to data protection. Though current legislation, especially the GDPR, has given an early indication that it will have positive effects on breach reduction and compliance incentivization, existing challenges and the need for adaptability call for continuous re-assessments of the legal landscape to ensure robust future protection from data breaches.
III. Cases of Data Breaches in India: A Trust Crisis
This is estimated as one of the largest data breaches in Indian history, bearing in mind that this data is biometric and belongs to over 1.1 billion citizens. With personal information ranging from names to 'Aadhaar' numbers and even biometric data such as iris scans and fingerprints having fallen into unauthorized hands, many have raised concerns over personal privacy and data security.
The high frequency of data breaches related to Aadhaar raised several eyebrows over the government's competence in handling sensitive information belonging to citizens. This has led to a massive loss of faith not just in the Aadhaar system per se but also in the entirety of state institutions. With several data misuses and the chance of identity theft on the rise, citizens have felt more and more anxious, reducing their ability to participate in digital identity systems.[xiv]
The 2021 Facebook data breach exposed the personal information during the corpus part of data release of 6.1 million Indians and a total of 533 million users around the world. This consisted of user phone numbers, full names, locations, and dates of birth and, thus, was a source of concern for many associated with privacy—who view it to create vulnerability for its potential exploitation.
The aftermath of the Facebook breach led in fact to a huge public backlash, as users became very suspicious about the capacity of the platform to keep their personal information secure. Since the initial days, the absence of proactive communication by Facebook has drawn skepticism of the protection of privacy rendered by social networking sites, which created an emerging need for greater regulations and accountability measures.[xv]
CONCLUSION
The importance of data privacy is growing in India, as has been readily witnessed through the changing legal and regulatory environment. It has also taken serious steps to address issues related to data protection and has ultimately led to the Digital Personal Data Protection Act of 2023. This comprehensive legislation would help bring the framework of data privacy in India in line with global standards and allow people more control over personal information.
The analysis, however, proves that lacunae still exist between India's data privacy laws and more stringent frameworks like the GDPR. Limited scope of PDPB, non-provision for data portability and the right to be forgotten, and fragmentation of related laws are some of the reasons that indicate the need for further refinement in the interest of better protection of the individual's privacy rights.
Among these, cybersecurity underpins effective data protection, which includes encryption, firewalls, and regular security audits. The fact that privacy laws help to reduce data breaches suggests the interrelation of the two areas and that protection of personal information needs to be well-rounded.
The big-ticket data breach cases involving Aadhaar and Facebook were bound to shake public confidence and show the vulnerabilities in the country's data protection landscape. Restoring faith in the digital ecosystem would, therefore, require continued efforts at strengthening accountability, transparency, and robust security measures on the part of policymakers, regulators, and business enterprises.
With the digitalization of India, the requirement for both comprehensive and enforceable data privacy laws on one hand and rigorous cybersecurity practices on the other is gaining momentum. The way forward lies in collaborative efforts by stakeholders to ensure that at all times, the individual's rights and freedoms are not compromised in the face of emerging technological challenges and risks of data exploitation.
REFERENCES
[i] What is Data Privacy? | Definition from TechTarget, CIO, https://www.techtarget.com/searchcio/definition/data-privacy-information-privacy ( last accessed Aug 5, 2024).
[ii] Cambridge Analytica | Digital Watch Observatory https://dig.watch/trends/cambridge-analytica ( last accessed Aug 6, 2024)
[iii] The Importance of Data Privacy in Digital Age, https://www.linkedin.com/pulse/importance-data-privacy-digital-age-thetechmarketer/ (last accessed Aug 6, 2024).
[iv] Why is Cybersecurity Important | UpGuard, https://www.upguard.com/blog/cybersecurity-important ( last accessed Aug 7, 2024).
[v] Sentrient, The importance of Cybersecurity in Today’s Digital World, Sentrient Blog (Mar 17, 2024), https://www.sentrient.com.au/blog/the-importance-of-cybersecurity-in-todays-digital-world ( last accessed Aug 7, 2024).
[vi] Dhiraj R. Duraiswami, Privacy and Data Protection in India, 6 JOURNAL OF LAW AND CYBER WARFARE 166 (2017), http://www.jstor.org/stable/26441284 ( last accessed Aug 7, 2024).
[vii] Understanding India’s Personal Data Protection Bill (PDPB) | Tripwire, https://www.tripwire.com/state-of-security/understanding-india-personal-data-protection-bill-pdpb#:~:text=Personal%20data%20is%20defined%20under%20the%20PDPB%20as%20%E2%80%9Cany%20data%20about%20an%20individual%20who%20is%20identifiable%20by%20or%20in%20relation%20to%20such%20data.%E2%80%9D%20Because%20the%20bill%20only%20applies%20to%20digitized%20personal%20data%2C%20there%20are%20areas%20not%20covered%2C%20including%20anonymized%20data%2C%20non%2Ddigitized,of%20grievances., ( last accessed Aug 8, 2024).
[viii] Comparing GDPR and DPDPA | Data Protection Laws in EU and India, https://secureprivacy.ai/blog/comparing-gdpr-dpdpa-data-protection-laws-eu-india#:~:text=Explore%20the%20differences%20and%20similarities%20between%20the%20General%20Data%20Protection%20Regulation%20%28GDPR%29%20in%20the%20European%20Union%20and%20the%20Digital%20Personal%20Data%20Protection,for%20businesses. ( last accessed Aug 8, 2024).
[ix] Kathrin Gardhouse, India Privacy Bill and Understand the Impact of GDPR, PRIVATE AI (Aug 21, 2023), https://www.private-ai.com/en/2023/08/21/indias-privacy-bill-gdpr/#:~:text=%2D%20%E2%80%93%20The%20GDPR%20does%20not%20have%20any%20exemptions%20for%20state%20agencies%20or%20public%20authorities%20from%20obtaining%20consent%20or%20following%20other%20obligations%20under%20the%20regulation.%20The,individual%20rights., (last accessed Aug 8, 2024).
[x] Joakim Rodrigues, Top 5 Methods of Protecting Data, TITANFILE (Apr. 1, 2024), https://www.titanfile.com/blog/5-methods-of-protecting-data/ ( last accessed Aug 8, 2024).
[xi] What are the benefits of a Firewall? PALO ALTO NETWORKS, https://www.paloaltonetworks.com/cyberpedia/what-are-the-benefits-of-a-firewall, (last accessed Aug 8, 2024).
[xii] IT Governance USA, Data Breaches in USA in June 2024: 10,527,091 People Impacted, IT GOVERNANCE USA BLOG (2024), https://www.itgovernanceusa.com/blog/data-breaches-in-the-usa-in-june-2024-10527091-people-impacted, (last accessed Aug 8, 2024).
[xiii] Mathew Maundrill, How Effective Is Data Protection Legislation?, Senetas (2024), https://www.senetas.com/how-effective-is-data-protection-legislation/ (last visited Aug 8, 2024).
[xiii]
[xiv] Rithik V. Gopal, Aadhar Data Breach - How Sensitive Data Of 1.3 Billion Indians Was Compromised, MEDIUM (Dec 19, 2022), https://medium.com/@rithikvgopal/aadhaar-data-breach-how-sensitive-data-of-1-3-billion-indians-was-compromised-cb01d0c2d7d3, (last accessed Aug 8, 2024).
[xv] Facebook data leak includes personal info of 6 million users in India, the story so far, INDIA TODAY (2021), https://www.indiatoday.in/technology/news/story/facebook-data-leak-includes-personal-info-of-6-million-users-in-india-the-story-so-far-1787186-2021-04-05, ( last accessed Aug 8. 2024).